Is there a way to differentiate between query and data conditions


I have a feathersjs service called documentations. When patching a documentation the user could set the editing field only to his own user._id or to null. Also the user can only patch documentations of his own company.

I have stored my permissions in a MongoDB Database:

...
{
  "action": "patch",
  "subject": "documentation",
  "fields": ["editing", "sections", "title", "published"],
  "conditions": {
    "company": "${user.belongsTo}"
  }
}
...

Is there a way to implement the editing field logic with CASL?

Is there some way to differentiate between query and data conditions?


Solution

  • Frankly speaking this kind of logic in my opinion is BL concern not permissions concern. But you can do something similar with CASL too, create a separate rule for editing field:

    can("update", "documentation", { company: ..., editing: { $in: [null, user.id] } }, ["editing"])


    So, each time you update editing just check permissions
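Added example, written for this page and not taken from the question or the answer: a small plain-JavaScript stand-in for what the proposed CASL rule does inside a feathers patch hook, so the difference between the two kinds of conditions is visible. Conditions on fields the rule does not allow the client to change (company) act as query conditions and are checked against the stored document (in a real hook they would be merged into params.query so the database enforces them); conditions on patchable fields (editing) act as data conditions and are checked against the state the document will have after the patch. The user, document, payload shapes and the helper names (buildPatchRule, splitConditions, checkPatch) are constructed here; a real project would hand the rule to @casl/ability instead of this matcher.

```javascript
// Builds the rule from the answer for the current user. The "${user.belongsTo}"
// template in the stored permission is resolved to the user's company id.
function buildPatchRule(user) {
  return {
    action: 'patch',
    subject: 'documentation',
    fields: ['editing', 'sections', 'title', 'published'],
    conditions: {
      company: user.belongsTo,                 // query condition (not a patchable field)
      editing: { $in: [null, user._id] },     // data condition (patchable field)
    },
  };
}

// Minimal matcher for the two condition shapes used above: plain equality and $in.
function matchesCondition(value, cond) {
  if (cond !== null && typeof cond === 'object' && '$in' in cond) {
    return cond.$in.includes(value);
  }
  return value === cond;
}

// Splits rule.conditions by whether the field is one the client may change:
// non-patchable fields -> query conditions, patchable fields -> data conditions.
function splitConditions(rule) {
  const query = {};
  const data = {};
  for (const [field, cond] of Object.entries(rule.conditions)) {
    (rule.fields.includes(field) ? data : query)[field] = cond;
  }
  return { query, data };
}

// Query conditions to merge into params.query before the service touches the DB.
function queryFor(user) {
  return splitConditions(buildPatchRule(user)).query;
}

// Decides whether `user` may apply `patch` to the stored document `doc`.
// Returns { ok, reason } so a hook can throw a Forbidden error with context.
function checkPatch(user, doc, patch) {
  const rule = buildPatchRule(user);
  const { query, data } = splitConditions(rule);

  // 1. Field whitelist: the payload may only contain fields the rule permits.
  for (const field of Object.keys(patch)) {
    if (!rule.fields.includes(field)) {
      return { ok: false, reason: `field "${field}" is not patchable` };
    }
  }

  // 2. Query conditions: evaluated against the document as it is stored.
  for (const [field, cond] of Object.entries(query)) {
    if (!matchesCondition(doc[field], cond)) {
      return { ok: false, reason: `query condition on "${field}" failed` };
    }
  }

  // 3. Data conditions: evaluated against the post-patch state, so a user can
  //    set editing only to null or to their own _id, and cannot patch a document
  //    that someone else is currently editing.
  const next = { ...doc, ...patch };
  for (const [field, cond] of Object.entries(data)) {
    if (!matchesCondition(next[field], cond)) {
      return { ok: false, reason: `data condition on "${field}" failed` };
    }
  }

  return { ok: true };
}

// Constructed sample data for a stand-alone run.
const sampleUser = { _id: 'u1', belongsTo: 'c1' };
const sampleDoc = { _id: 'd1', company: 'c1', editing: null, title: 'Spec' };
console.log(queryFor(sampleUser));                                  // { company: 'c1' }
console.log(checkPatch(sampleUser, sampleDoc, { editing: 'u1' }));  // { ok: true }
console.log(checkPatch(sampleUser, sampleDoc, { editing: 'u2' }));  // data condition failed
```

In a feathers before-hook for patch, queryFor(user) would be merged into context.params.query and checkPatch run against the record fetched with that query; the reason string is only for logging and error messages, the ok flag is what the hook acts on.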